677 lines
No EOL
64 KiB
JSON
677 lines
No EOL
64 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2015-04-13",
|
|
"extends_uuid": "",
|
|
"info": "OSINT APT30 detection rules Loki Scanner Yara rules by Florian Roth",
|
|
"publish_timestamp": "1521408461",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1521406650",
|
|
"uuid": "56129bd3-3538-4b5a-b6b4-4a06950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:threat-actor=\"APT 30\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060129",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56129be1-3cdc-49b3-aafa-41d1950d210b",
|
|
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/apt_apt30_backspace.yar"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060140",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "56129bec-87ec-4c49-9d03-4f19950d210b",
|
|
"value": "APT30"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060152",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129bf8-7674-40ec-9c36-4ac0950d210b",
|
|
"value": "rule APT30_Generic_H {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"2a4c8752f3e7fde0139421b8d5713b29c720685d\"\r\n\t\thash2 = \"4350e906d590dca5fcc90ed3215467524e0a4e3d\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\Temp1020.txt\" fullword ascii\r\n\t\t$s1 = \"Xmd.Txe\" fullword ascii\r\n\t\t$s2 = \"\\\\Internet Exp1orer\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060162",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c02-8b84-4214-8e16-4cf5950d210b",
|
|
"value": "rule APT30_Sample_2 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file c4dec6d69d8035d481e4f2c86f580e81\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"0359ffbef6a752ee1a54447b26e272f4a5a35167\"\r\n\tstrings:\r\n\t\t$s0 = \"ForZRLnkWordDlg.EXE\" fullword wide\r\n\t\t$s1 = \"ForZRLnkWordDlg Microsoft \" fullword wide\r\n\t\t$s9 = \"ForZRLnkWordDlg 1.0 \" fullword wide\r\n\t\t$s11 = \"ForZRLnkWordDlg\" fullword wide\r\n\t\t$s12 = \" (C) 2011\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060173",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c0d-a0b8-440f-bbcc-4f51950d210b",
|
|
"value": "rule APT30_Sample_3 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"d0320144e65c9af0052f8dee0419e8deed91b61b\"\r\n\tstrings:\r\n\t\t$s5 = \"Software\\\\Mic\" ascii\r\n\t\t$s6 = \"HHOSTR\" ascii\r\n\t\t$s9 = \"ThEugh\" fullword ascii\r\n\t\t$s10 = \"Moziea/\" ascii\r\n\t\t$s12 = \"%s%s(X-\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060183",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c17-95f4-4dd4-9c69-42fb950d210b",
|
|
"value": "rule APT30_Generic_C {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"8667f635fe089c5e2c666b3fe22eaf3ff8590a69\"\r\n\t\thash2 = \"0c4fcef3b583d0ffffc2b14b9297d3a4\"\r\n\t\thash3 = \"37aee58655f5859e60ece6b249107b87\"\r\n\t\thash4 = \"4154548e1f8e9e7eb39d48a4cd75bcd1\"\r\n\t\thash5 = \"a2e0203e665976a13cdffb4416917250\"\r\n\t\thash6 = \"b4ae0004094b37a40978ef06f311a75e\"\r\n\t\thash7 = \"e39756bc99ee1b05e5ee92a1cdd5faf4\"\r\n\tstrings:\r\n\t\t$s0 = \"MYUSER32.dll\" fullword ascii\r\n\t\t$s1 = \"MYADVAPI32.dll\" fullword ascii\r\n\t\t$s2 = \"MYWSOCK32.dll\" fullword ascii\r\n\t\t$s3 = \"MYMSVCRT.dll\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060210",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c32-841c-4221-970f-4dfb950d210b",
|
|
"value": "rule APT30_Sample_4 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"75367d8b506031df5923c2d8d7f1b9f643a123cd\"\r\n\tstrings:\r\n\t\t$s0 = \"GetStartupIn\" ascii\r\n\t\t$s1 = \"enMutex\" ascii\r\n\t\t$s2 = \"tpsvimi\" ascii\r\n\t\t$s3 = \"reateProcesy\" ascii\r\n\t\t$s5 = \"FreeLibr1y*S\" ascii\r\n\t\t$s6 = \"foAModuleHand\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060225",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c41-52d8-4d9f-b8ad-45b9950d210b",
|
|
"value": "rule APT30_Sample_5 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"1a2dd2a0555dc746333e7c956c58f7c4cdbabd4b\"\r\n\tstrings:\r\n\t\t$s0 = \"Version 4.7.3001\" fullword wide\r\n\t\t$s1 = \"Copyright (c) Microsoft Corporation 2004\" fullword wide\r\n\t\t$s3 = \"Microsoft(R) is a registered trademark of Microsoft Corporation in the U\" wide\r\n\t\t$s7 = \"msmsgs\" fullword wide\r\n\t\t$s10 = \"----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060235",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c4b-7d34-4da2-b16a-43ad950d210b",
|
|
"value": "rule APT30_Sample_6 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"00e69b059ad6b51b76bc476a115325449d10b4c0\"\r\n\tstrings:\r\n\t\t$s0 = \"GreateProcessA\" fullword ascii\r\n\t\t$s1 = \"Ternel32.dll\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060245",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c55-fbc4-43f4-87df-48ac950d210b",
|
|
"value": "rule APT30_Sample_7 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"868d1f4c106a08bd2e5af4f23139f0e0cd798fba\"\r\n\tstrings:\r\n\t\t$s0 = \"datain\" fullword ascii\r\n\t\t$s3 = \"C:\\\\Prog\" ascii\r\n\t\t$s4 = \"$LDDATA$\" ascii\r\n\t\t$s5 = \"Maybe a Encrypted Flash\" fullword ascii\r\n\t\t$s6 = \"Jean-loup Gailly\" ascii\r\n\t\t$s8 = \"deflate 1.1.3 Copyright\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060258",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c62-ad74-4d36-9308-4fdd950d210b",
|
|
"value": "rule APT30_Generic_E {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"1dbb584e19499e26398fb0a7aa2a01b7\"\r\n\t\thash2 = \"572c9cd4388699347c0b2edb7c6f5e25\"\r\n\t\thash3 = \"8ff473bedbcc77df2c49a91167b1abeb\"\r\n\t\thash4 = \"a813eba27b2166620bd75029cc1f04b0\"\r\n\t\thash5 = \"b5546842e08950bc17a438d785b5a019\"\r\n\tstrings:\r\n\t\t$s0 = \"Nkfvtyvn}\" ascii\r\n\t\t$s6 = \"----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060269",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c6d-4898-4710-b4f4-423e950d210b",
|
|
"value": "rule APT30_Sample_8 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"9531e21652143b8b129ab8c023dc05fef2a17cc3\"\r\n\tstrings:\r\n\t\t$s0 = \"ateProcessA\" ascii\r\n\t\t$s1 = \"Ternel32.dllFQ\" fullword ascii\r\n\t\t$s2 = \"StartupInfoAModuleHand\" fullword ascii\r\n\t\t$s3 = \"OpenMutex\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060284",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c7c-f624-41a4-92ed-4473950d210b",
|
|
"value": "rule APT30_Generic_B {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"0fcb4ffe2eb391421ec876286c9ddb6c\"\r\n\t\thash2 = \"29395c528693b69233c1c12bef8a64b3\"\r\n\t\thash3 = \"4c6b21e98ca03e0ef0910e07cef45dac\"\r\n\t\thash4 = \"550459b31d8dabaad1923565b7e50242\"\r\n\t\thash5 = \"65232a8d555d7c4f7bc0d7c5da08c593\"\r\n\t\thash6 = \"853a20f5fc6d16202828df132c41a061\"\r\n\t\thash7 = \"ed151602dea80f39173c2f7b1dd58e06\"\r\n\tstrings:\r\n\t\t$s2 = \"Moziea/4.0\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060295",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129c87-2368-40ae-8cbf-4911950d210b",
|
|
"value": "rule APT30_Generic_I {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"fe211c7a081c1dac46e3935f7c614549\"\r\n\t\thash2 = \"8c9db773d387bf9b3f2b6a532e4c937c\"\r\n\tstrings:\r\n\t\t$s0 = \"Copyright 2012 Google Inc. All rights reserved.\" fullword wide\r\n\t\t$s1 = \"(Prxy%c-%s:%u)\" fullword ascii\r\n\t\t$s2 = \"Google Inc.\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060306",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56129c92-0aec-44e1-8c72-4ac7950d210b",
|
|
"value": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060357",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129cc5-69d4-4104-872f-47a1950d210b",
|
|
"value": "rule APT30_Sample_9 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"442bf8690401a2087a340ce4a48151c39101652f\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\Windo\" ascii\r\n\t\t$s2 = \"oHHOSTR\" ascii\r\n\t\t$s3 = \"Softwa]\\\\Mic\" ascii\r\n\t\t$s4 = \"Startup'T\" ascii\r\n\t\t$s6 = \"Ora\\\\%^\" ascii\r\n\t\t$s7 = \"\\\\Ohttp=r\" ascii\r\n\t\t$s17 = \"help32Snapshot0L\" ascii\r\n\t\t$s18 = \"TimUmoveH\" ascii\r\n\t\t$s20 = \"WideChc[lobalAl\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060371",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129cd3-596c-4547-b375-42c8950d210b",
|
|
"value": "rule APT30_Sample_10 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"eb518cda3c4f4e6938aaaee07f1f7db8ee91c901\"\r\n\tstrings:\r\n\t\t$s0 = \"Version 4.7.3001\" fullword wide\r\n\t\t$s1 = \"Copyright (c) Microsoft Corporation 2004\" fullword wide\r\n\t\t$s2 = \"Microsoft(R) is a registered trademark of Microsoft Corporation in the U\" wide\r\n\t\t$s3 = \"!! Use Connect Method !!\" fullword ascii\r\n\t\t$s4 = \"(Prxy%c-%s:%u)\" fullword ascii\r\n\t\t$s5 = \"msmsgs\" fullword wide\r\n\t\t$s18 = \"(Prxy-No)\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060384",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ce0-5b80-4682-9572-4f8c950d210b",
|
|
"value": "rule APT30_Sample_11 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"59066d5d1ee3ad918111ed6fcaf8513537ff49a6\"\r\n\tstrings:\r\n\t\t$s0 = \"System\\\\CurrentControlSet\\\\control\\\\ComputerName\\\\ComputerName\" fullword ascii\r\n\t\t$s1 = \"msofscan.exe\" fullword wide\r\n\t\t$s2 = \"Mozilla/4.0 (compatible; MSIE 5.0; Win32)\" fullword ascii\r\n\t\t$s3 = \"Microsoft? is a registered trademark of Microsoft Corporation.\" fullword wide\r\n\t\t$s4 = \"Windows XP Professional x64 Edition or Windows Server 2003\" fullword ascii\r\n\t\t$s9 = \"NetEagle_Scout - \" fullword ascii\r\n\t\t$s10 = \"Server 4.0, Enterprise Edition\" fullword ascii\r\n\t\t$s11 = \"Windows 3.1(Win32s)\" fullword ascii\r\n\t\t$s12 = \"%s%s%s %s\" fullword ascii\r\n\t\t$s13 = \"Server 4.0\" fullword ascii\r\n\t\t$s15 = \"Windows Millennium Edition\" fullword ascii\r\n\t\t$s16 = \"msofscan\" fullword wide\r\n\t\t$s17 = \"Eagle-Norton360-OfficeScan\" fullword ascii\r\n\t\t$s18 = \"Workstation 4.0\" fullword ascii\r\n\t\t$s19 = \"2003 Microsoft Office system\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060397",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ced-e398-4c00-9700-42b5950d210b",
|
|
"value": "rule APT30_Sample_12 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file c95cd106c1fecbd500f4b97566d8dc96\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"b02b5720ff0f73f01eb2ba029a58b645c987c4bc\"\r\n\tstrings:\r\n\t\t$s0 = \"Richic\" fullword ascii\r\n\t\t$s1 = \"Accept: image/gif, */*\" fullword ascii\r\n\t\t$s2 = \"----------------g_nAV=%d,hWnd:0x%X,className:%s,Title:%s,(%d,%d,%d,%d),BOOL=%d\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060406",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129cf6-4210-4c03-afad-42e1950d210b",
|
|
"value": "rule APT30_Sample_13 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"a359f705a833c4a4254443b87645fd579aa94bcf\"\r\n\tstrings:\r\n\t\t$s0 = \"msofscan.exe\" fullword wide\r\n\t\t$s1 = \"Microsoft? is a registered trademark of Microsoft Corporation.\" fullword wide\r\n\t\t$s2 = \"Microsoft Office Word Plugin Scan\" fullword wide\r\n\t\t$s3 = \"? 2006 Microsoft Corporation. All rights reserved.\" fullword wide\r\n\t\t$s4 = \"msofscan\" fullword wide\r\n\t\t$s6 = \"2003 Microsoft Office system\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060415",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129cff-6058-440d-ae59-46e6950d210b",
|
|
"value": "rule APT30_Sample_14 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"b0740175d20eab79a5d62cdbe0ee1a89212a8472\"\r\n\tstrings:\r\n\t\t$s0 = \"AdobeReader.exe\" fullword wide\r\n\t\t$s1 = \"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy\" fullword ascii\r\n\t\t$s4 = \"10.1.7.27\" fullword wide\r\n\t\t$s5 = \"Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All ri\" wide\r\n\t\t$s8 = \"Adobe Reader\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060729",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e39-d688-4db2-a37d-4168950d210b",
|
|
"value": "rule APT30_Sample_15 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"7a8576804a2bbe4e5d05d1718f90b6a4332df027\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\Windo\" ascii\r\n\t\t$s2 = \"HHOSTR\" ascii\r\n\t\t$s3 = \"Softwa]\\\\Mic\" ascii\r\n\t\t$s4 = \"Startup'T\" fullword ascii\r\n\t\t$s17 = \"help32Snapshot0L\" fullword ascii\r\n\t\t$s18 = \"TimUmoveH\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060740",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e44-9ab4-4585-8c71-43b3950d210b",
|
|
"value": "rule APT30_Sample_16 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"066d06ac08b48d3382d46bbeda6ad411b6d6130e\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\Temp1020.txt\" fullword ascii\r\n\t\t$s1 = \"cmcbqyjs\" fullword ascii\r\n\t\t$s2 = \"SPVSWh\\\\\" fullword ascii\r\n\t\t$s4 = \"PSShxw@\" fullword ascii\r\n\t\t$s5 = \"VWhHw@\" fullword ascii\r\n\t\t$s7 = \"SVWhHw@\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060749",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e4d-c8d8-4391-9dde-4845950d210b",
|
|
"value": "rule APT30_Generic_A {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"9f49aa1090fa478b9857e15695be4a89f8f3e594\"\r\n\t\thash2 = \"396116cfb51cee090822913942f6ccf81856c2fb\"\r\n\t\thash3 = \"fef9c3b4b35c226501f7d60816bb00331a904d5b\"\r\n\t\thash4 = \"7c9a13f1fdd6452fb6d62067f958bfc5fec1d24e\"\r\n\t\thash5 = \"5257ba027abe3a2cf397bfcae87b13ab9c1e9019\"\r\n\tstrings:\r\n\t\t$s5 = \"WPVWhhiA\" fullword ascii\r\n\t\t$s6 = \"VPWVhhiA\" fullword ascii\r\n\t\t$s11 = \"VPhhiA\" fullword ascii\r\n\t\t$s12 = \"uUhXiA\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060759",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e57-965c-4f0c-9ba8-4bb0950d210b",
|
|
"value": "rule APT30_Sample_17 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"c3aa52ff1d19e8fc6704777caf7c5bd120056845\"\r\n\tstrings:\r\n\t\t$s1 = \"Nkfvtyvn}]ty}ztU\" fullword ascii\r\n\t\t$s4 = \"IEXPL0RE\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060778",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e6a-0e78-45ab-b2dd-49a6950d210b",
|
|
"value": "rule APT30_Sample_18 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file b2138a57f723326eda5a26d2dec56851\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"355436a16d7a2eba8a284b63bb252a8bb1644751\"\r\n\tstrings:\r\n\t\t$s0 = \"w.km-nyc.com\" fullword ascii\r\n\t\t$s1 = \"tscv.exe\" fullword ascii\r\n\t\t$s2 = \"Exit/app.htm\" ascii\r\n\t\t$s3 = \"UBD:\\\\D\" ascii\r\n\t\t$s4 = \"LastError\" ascii\r\n\t\t$s5 = \"MicrosoftHaveAck\" ascii\r\n\t\t$s7 = \"HHOSTR\" ascii\r\n\t\t$s20 = \"XPL0RE.\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1521406650",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e76-8e70-4be8-833d-4358950d210b",
|
|
"value": "rule APT30_Generic_G {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"1612b392d6145bfb0c43f8a48d78c75f\"\r\n\t\thash2 = \"53f1358cbc298da96ec56e9a08851b4b\"\r\n\t\thash3 = \"c2acc9fc9b0f050ec2103d3ba9cb11c0\"\r\n\t\thash4 = \"f18be055fae2490221c926e2ad55ab11\"\r\n\tstrings:\r\n\t\t$s0 = \"%s\\\\%s\\\\%s=%s\" fullword ascii\r\n\t\t$s1 = \"Copy File %s OK!\" fullword ascii\r\n\t\t$s2 = \"%s Space:%uM,FreeSpace:%uM\" fullword ascii\r\n\t\t$s4 = \"open=%s\" fullword ascii\r\n\t\t$s5 = \"Maybe a Encrypted Flash Disk\" fullword ascii\r\n\t\t$s12 = \"%04u-%02u-%02u %02u:%02u:%02u\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060803",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e83-5774-44f3-9cd9-49c8950d210b",
|
|
"value": "rule APT30_Sample_19 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"cfa438449715b61bffa20130df8af778ef011e15\"\r\n\tstrings:\r\n\t\t$s0 = \"C:\\\\Program Files\\\\Common Files\\\\System\\\\wab32\" fullword ascii\r\n\t\t$s1 = \"%s,Volume:%s,Type:%s,TotalSize:%uMB,FreeSize:%uMB\" fullword ascii\r\n\t\t$s2 = \"\\\\TEMP\\\\\" fullword ascii\r\n\t\t$s3 = \"\\\\Temporary Internet Files\\\\\" fullword ascii\r\n\t\t$s5 = \"%s TotalSize:%u Bytes\" fullword ascii\r\n\t\t$s6 = \"This Disk Maybe a Encrypted Flash Disk!\" fullword ascii\r\n\t\t$s7 = \"User:%-32s\" fullword ascii\r\n\t\t$s8 = \"\\\\Desktop\\\\\" fullword ascii\r\n\t\t$s9 = \"%s.%u_%u\" fullword ascii\r\n\t\t$s10 = \"Nick:%-32s\" fullword ascii\r\n\t\t$s11 = \"E-mail:%-32s\" fullword ascii\r\n\t\t$s13 = \"%04u-%02u-%02u %02u:%02u:%02u\" fullword ascii\r\n\t\t$s14 = \"Type:%-8s\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and 8 of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060815",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129e8f-c6e4-4dd2-beae-4330950d210b",
|
|
"value": "rule APT30_Generic_E_v2 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"eca53a9f6251ddf438508b28d8a483f91b99a3fd\"\r\n\tstrings:\r\n\t\t$s0 = \"Nkfvtyvn}duf_Z}{Ys\" fullword ascii\r\n\t\t$s1 = \"Nkfvtyvn}*Zrswru1i\" fullword ascii\r\n\t\t$s2 = \"Nkfvtyvn}duf_Z}{V\" fullword ascii\r\n\t\t$s3 = \"Nkfvtyvn}*ZrswrumT\\\\b\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060833",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ea1-51bc-4b68-8035-47c6950d210b",
|
|
"value": "rule APT30_Sample_20 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"b1c37632e604a5d1f430c9351f87eb9e8ea911c0\"\r\n\tstrings:\r\n\t\t$s0 = \"dizhi.gif\" fullword ascii\r\n\t\t$s2 = \"Mozilla/u\" ascii\r\n\t\t$s3 = \"XicrosoftHaveAck\" ascii\r\n\t\t$s4 = \"flyeagles\" ascii\r\n\t\t$s10 = \"iexplore.\" ascii\r\n\t\t$s13 = \"WindowsGV\" fullword ascii\r\n\t\t$s16 = \"CatePipe\" fullword ascii\r\n\t\t$s17 = \"'QWERTY:/webpage3\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060843",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129eab-bd14-43c0-8990-4b5d950d210b",
|
|
"value": "rule APT30_Sample_21 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"d315daa61126616a79a8582145777d8a1565c615\"\r\n\tstrings:\r\n\t\t$s0 = \"Service.dll\" fullword ascii\r\n\t\t$s1 = \"(%s:%s %s)\" fullword ascii\r\n\t\t$s2 = \"%s \\\"%s\\\",%s %s\" fullword ascii\r\n\t\t$s5 = \"Proxy-%s:%u\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060859",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ebb-f4f8-44ad-bf3e-496b950d210b",
|
|
"value": "rule APT30_Sample_22 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"0d17a58c24753e5f8fd5276f62c8c7394d8e1481\"\r\n\tstrings:\r\n\t\t$s1 = \"(\\\\TEMP\" fullword ascii\r\n\t\t$s2 = \"Windows\\\\Cur\" fullword ascii\r\n\t\t$s3 = \"LSSAS.exeJ\" fullword ascii\r\n\t\t$s4 = \"QC:\\\\WINDOWS\" fullword ascii\r\n\t\t$s5 = \"System Volume\" fullword ascii\r\n\t\t$s8 = \"PROGRAM FILE\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060868",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ec5-0334-4b38-87d1-4e78950d210b",
|
|
"value": "rule APT30_Generic_F {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"09010917cd00dc8ddd21aeb066877aa2\"\r\n\t\thash2 = \"4c10a1efed25b828e4785d9526507fbc\"\r\n\t\thash3 = \"b7b282c9e3eca888cbdb5a856e07e8bd\"\r\n\t\thash4 = \"df1799845b51300b03072c6569ab96d5\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\~zlzl.exe\" fullword ascii\r\n\t\t$s2 = \"\\\\Internet Exp1orer\" fullword ascii\r\n\t\t$s3 = \"NodAndKabIsExcellent\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060889",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ed9-655c-4661-a388-48ce950d210b",
|
|
"value": "rule APT30_Sample_23 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"9865e24aadb4480bd3c182e50e0e53316546fc01\"\r\n\tstrings:\r\n\t\t$s0 = \"hostid\" ascii\r\n\t\t$s1 = \"\\\\Window\" ascii\r\n\t\t$s2 = \"%u:%u%s\" fullword ascii\r\n\t\t$s5 = \"S2tware\\\\Mic\" ascii\r\n\t\t$s6 = \"la/4.0 (compa\" ascii\r\n\t\t$s7 = \"NameACKernel\" fullword ascii\r\n\t\t$s12 = \"ToWideChc[lo\" fullword ascii\r\n\t\t$s14 = \"help32SnapshotfL\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060908",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129eec-6adc-45f4-b96d-4ec0950d210b",
|
|
"value": "rule APT30_Sample_24 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"572caa09f2b600daa941c60db1fc410bef8d1771\"\r\n\tstrings:\r\n\t\t$s1 = \"dizhi.gif\" fullword ascii\r\n\t\t$s3 = \"Mozilla/4.0\" fullword ascii\r\n\t\t$s4 = \"lyeagles\" fullword ascii\r\n\t\t$s6 = \"HHOSTR\" ascii\r\n\t\t$s7 = \"#MicrosoftHaveAck7\" ascii\r\n\t\t$s8 = \"iexplore.\" fullword ascii\r\n\t\t$s17 = \"ModuleH\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060919",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129ef7-18e4-4524-8ca5-459c950d210b",
|
|
"value": "rule APT30_Sample_25 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"44a21c8b3147fabc668fee968b62783aa9d90351\"\r\n\tstrings:\r\n\t\t$s1 = \"C:\\\\WINDOWS\" fullword ascii\r\n\t\t$s2 = \"aragua\" fullword ascii\r\n\t\t$s4 = \"\\\\driver32\\\\7$\" fullword ascii\r\n\t\t$s8 = \"System V\" fullword ascii\r\n\t\t$s9 = \"Compu~r\" fullword ascii\r\n\t\t$s10 = \"PROGRAM L\" fullword ascii\r\n\t\t$s18 = \"GPRTMAX\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444060928",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56129f00-adec-493f-86d0-4534950d210b",
|
|
"value": "rule APT30_Sample_26 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"e26588113417bf68cb0c479638c9cd99a48e846d\"\r\n\tstrings:\r\n\t\t$s1 = \"forcegue\" fullword ascii\r\n\t\t$s3 = \"Windows\\\\Cur\" fullword ascii\r\n\t\t$s4 = \"System Id\" fullword ascii\r\n\t\t$s5 = \"Software\\\\Mic\" fullword ascii\r\n\t\t$s6 = \"utiBy0ToWideCh&$a\" fullword ascii\r\n\t\t$s10 = \"ModuleH\" fullword ascii\r\n\t\t$s15 = \"PeekNamed6G\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061264",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a051-f0a4-415c-aa8c-4f54950d210b",
|
|
"value": "rule APT30_Generic_D {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"35dfb55f419f476a54241f46e624a1a4\"\r\n\t\thash2 = \"4fffcbdd4804f6952e0daf2d67507946\"\r\n\t\thash3 = \"597805832d45d522c4882f21db800ecf\"\r\n\t\thash4 = \"6bd422d56e85024e67cc12207e330984\"\r\n\t\thash5 = \"82e13f3031130bd9d567c46a9c71ef2b\"\r\n\t\thash6 = \"b79d87ff6de654130da95c73f66c15fa\"\r\n\tstrings:\r\n\t\t$s0 = \"Windows Security Service Feedback\" fullword wide\r\n\t\t$s1 = \"wssfmgr.exe\" fullword wide\r\n\t\t$s2 = \"\\\\rb.htm\" fullword ascii\r\n\t\t$s3 = \"rb.htm\" fullword ascii\r\n\t\t$s4 = \"cook5\" ascii\r\n\t\t$s5 = \"5, 4, 2600, 0\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061276",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a05c-56ac-4e07-a564-4c75950d210b",
|
|
"value": "rule APT30_Sample_27 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"959573261ca1d7e5ddcd19447475b2139ca24fe1\"\r\n\tstrings:\r\n\t\t$s0 = \"Mozilla/4.0\" fullword ascii\r\n\t\t$s1 = \"dizhi.gif\" fullword ascii\r\n\t\t$s5 = \"oftHaveAck+\" ascii\r\n\t\t$s10 = \"HlobalAl\" fullword ascii\r\n\t\t$s13 = \"$NtRND1$\" fullword ascii\r\n\t\t$s14 = \"_NStartup\" fullword ascii\r\n\t\t$s16 = \"GXSYSTEM\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061285",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a065-bc94-4426-b648-4aa5950d210b",
|
|
"value": "rule APT30_Sample_28 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file e62a63307deead5c9fcca6b9a2d51fb0\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"e62a63307deead5c9fcca6b9a2d51fb0\"\r\n\t\thash2 = \"5b590798da581c894d8a87964763aa8b\"\r\n\tstrings:\r\n\t\t$s0 = \"www.flyeagles.com\" fullword ascii\r\n\t\t$s1 = \"iexplore.exe\" fullword ascii\r\n\t\t$s2 = \"www.km-nyc.com\" fullword ascii\r\n\t\t$s3 = \"cmdLine.exe\" fullword ascii\r\n\t\t$s4 = \"Software\\\\Microsoft\\\\CurrentNetInf\" fullword ascii\r\n\t\t$s5 = \"/dizhi.gif\" ascii\r\n\t\t$s6 = \"/connect.gif\" ascii\r\n\t\t$s7 = \"USBTest.sys\" fullword ascii\r\n\t\t$s8 = \"/ver.htm\" fullword ascii\r\n\t\t$s11 = \"\\\\netscv.exe\" fullword ascii\r\n\t\t$s12 = \"/app.htm\" fullword ascii\r\n\t\t$s13 = \"\\\\netsvc.exe\" fullword ascii\r\n\t\t$s14 = \"/exe.htm\" fullword ascii\r\n\t\t$s18 = \"MicrosoftHaveAck\" fullword ascii\r\n\t\t$s19 = \"MicrosoftHaveExit\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and 7 of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061297",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a072-ab8c-4d30-a1be-42b2950d210b",
|
|
"value": "rule APT30_Sample_29 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"44492c53715d7c79895904543843a321491cb23a\"\r\n\tstrings:\r\n\t\t$s0 = \"LSSAS.exe\" fullword ascii\r\n\t\t$s1 = \"Software\\\\Microsoft\\\\FlashDiskInf\" fullword ascii\r\n\t\t$s2 = \".petite\" fullword ascii\r\n\t\t$s3 = \"MicrosoftFlashExit\" fullword ascii\r\n\t\t$s4 = \"MicrosoftFlashHaveExit\" fullword ascii\r\n\t\t$s5 = \"MicrosoftFlashHaveAck\" fullword ascii\r\n\t\t$s6 = \"\\\\driver32\" fullword ascii\r\n\t\t$s7 = \"MicrosoftFlashZJ\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061309",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a07d-17dc-464f-b580-4a07950d210b",
|
|
"value": "rule APT30_Sample_30 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"3b684fa40b4f096e99fbf535962c7da5cf0b4528\"\r\n\tstrings:\r\n\t\t$s0 = \"5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)\" fullword wide\r\n\t\t$s3 = \"RnhwtxtkyLRRMf{jJ}ny\" fullword ascii\r\n\t\t$s4 = \"RnhwtxtkyLRRJ}ny\" fullword ascii\r\n\t\t$s5 = \"ZRLDownloadToFileA\" fullword ascii\r\n\t\t$s9 = \"5.1.2600.2180\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498161509",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a087-51a8-40ce-9708-44ef950d210b",
|
|
"value": "rule APT30_Sample_31 {\n\tmeta:\n\t\tdescription = \"FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\n\t\tdate = \"2015/04/13\"\n\t\thash = \"8b4271167655787be1988574446125eae5043aca\"\n\tstrings:\n\t\t$s0 = \"\\\\ZJRsv.tem\" fullword ascii\n\t\t$s1 = \"forceguest\" fullword ascii\n\t\t$s4 = \"\\\\$NtUninstallKB570317$\" fullword ascii\n\t\t$s8 = \"[Can'tGetIP]\" fullword ascii\n\t\t$s14 = \"QWERTY:,'/\" fullword ascii\n\tcondition:\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061336",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a098-efbc-4615-a680-4382950d210b",
|
|
"value": "rule APT30_Generic_J {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash1 = \"49aca228674651cba776be727bdb7e60\"\r\n\t\thash2 = \"5c7a6b3d1b85fad17333e02608844703\"\r\n\t\thash3 = \"649fa64127fef1305ba141dd58fb83a5\"\r\n\t\thash4 = \"9982fd829c0048c8f89620691316763a\"\r\n\t\thash5 = \"baff5262ae01a9217b10fcd5dad9d1d5\"\r\n\t\thash6 = \"9982fd829c0048c8f89620691316763a\"\r\n\tstrings:\r\n\t\t$s0 = \"Launcher.EXE\" fullword wide\r\n\t\t$s1 = \"Symantec Security Technologies\" fullword wide\r\n\t\t$s2 = \"\\\\Symantec LiveUpdate.lnk\" fullword ascii\r\n\t\t$s3 = \"Symantec Service Framework\" fullword wide\r\n\t\t$s4 = \"\\\\ccSvcHst.exe\" fullword ascii\r\n\t\t$s5 = \"\\\\wssfmgr.exe\" fullword ascii\r\n\t\t$s6 = \"Symantec Corporation\" fullword wide\r\n\t\t$s7 = \"\\\\5.1.0.29\" fullword ascii\r\n\t\t$s8 = \"\\\\Engine\" fullword ascii\r\n\t\t$s9 = \"Copyright (C) 2000-2010 Symantec Corporation. All rights reserved.\" fullword wide\r\n\t\t$s10 = \"Symantec LiveUpdate\" fullword ascii\r\n\t\t$s11 = \"\\\\Norton360\" fullword ascii\r\n\t\t$s15 = \"BinRes\" fullword ascii\r\n\t\t$s16 = \"\\\\readme.lz\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061347",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a0a3-6f10-486d-90ee-4308950d210b",
|
|
"value": "rule APT30_Microfost {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"57169cb4b8ef7a0d7ebd7aa039d1a1efd6eb639e\"\r\n\tstrings:\r\n\t\t$s1 = \"Copyright (c) 2007 Microfost All Rights Reserved\" fullword wide\r\n\t\t$s2 = \"Microfost\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061376",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a0c0-f69c-4e04-a26c-4b80950d210b",
|
|
"value": "rule APT30_Generic_K {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"142bc01ad412799a7f9ffed994069fecbd5a2f93\"\r\n\tstrings:\r\n\t\t$x1 = \"Maybe a Encrypted Flash\" fullword ascii\r\n\t\r\n\t\t$s0 = \"C:\\\\Program Files\\\\Common Files\\\\System\\\\wab32\" fullword ascii\r\n\t\t$s1 = \"\\\\TEMP\\\\\" fullword ascii\r\n\t\t$s2 = \"\\\\Temporary Internet Files\\\\\" fullword ascii\r\n\t\t$s5 = \"%s Size:%u Bytes\" fullword ascii\r\n\t\t$s7 = \"$.DATA$\" fullword ascii\r\n\t\t$s10 = \"? Size:%u By s\" fullword ascii\r\n\t\t$s12 = \"Maybe a Encrypted Flash\" fullword ascii\r\n\t\t$s14 = \"Name:%-32s\" fullword ascii\r\n\t\t$s15 = \"NickName:%-32s\" fullword ascii\r\n\t\t$s19 = \"Email:%-32s\" fullword ascii\r\n\t\t$s21 = \"C:\\\\Prog\" ascii\r\n\t\t$s22 = \"$LDDATA$\" ascii\r\n\t\t$s31 = \"Copy File %s OK!\" fullword ascii\r\n\t\t$s32 = \"%s Space:%uM,FreeSpace:%uM\" fullword ascii\r\n\t\t$s34 = \"open=%s\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and ( all of ($x*) and 3 of ($s*) )\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061426",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a0f2-8998-4cad-8e50-4047950d210b",
|
|
"value": "rule APT30_Sample_33 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 5eaf3deaaf2efac92c73ada82a651afe\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"72c568ee2dd75406858c0294ccfcf86ad0e390e4\"\r\n\tstrings:\r\n\t\t$s0 = \"Version 4.7.3001\" fullword wide\r\n\t\t$s1 = \"msmsgr.exe\" fullword wide\r\n\t\t$s2 = \"MYUSER32.dll\" fullword ascii\r\n\t\t$s3 = \"MYADVAPI32.dll\" fullword ascii\r\n\t\t$s4 = \"CeleWare.NET1\" fullword ascii\r\n\t\t$s6 = \"MYMSVCRT.dll\" fullword ascii\r\n\t\t$s7 = \"Microsoft(R) is a registered trademark of Microsoft Corporation in the\" wide\r\n\t\t$s8 = \"WWW.CeleWare.NET1\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and 6 of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061436",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a0fc-c2f0-49df-85d0-4959950d210b",
|
|
"value": "rule APT30_Sample_34 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"216868edbcdd067bd2a9cce4f132d33ba9c0d818\"\r\n\tstrings:\r\n\t\t$s0 = \"dizhi.gif\" ascii\r\n\t\t$s1 = \"eagles.vip.nse\" ascii\r\n\t\t$s4 = \"o%S:S0\" ascii\r\n\t\t$s5 = \"la/4.0\" ascii\r\n\t\t$s6 = \"s#!<4!2>s02==<'s1\" ascii\r\n\t\t$s7 = \"HlobalAl\" ascii\r\n\t\t$s9 = \"vcMicrosoftHaveAck7\" ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061445",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a106-cea0-4b6a-bf0f-4575950d210b",
|
|
"value": "rule APT30_Sample_35 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\thash = \"df48a7cd6c4a8f78f5847bad3776abc0458499a6\"\r\n\tstrings:\r\n\t\t$s0 = \"WhBoyIEXPLORE.EXE.exe\" fullword ascii\r\n\t\t$s5 = \"Startup>A\" fullword ascii\r\n\t\t$s18 = \"olhelp32Snapshot\" fullword ascii\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061587",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a193-de60-4958-a80d-4b60950d210b",
|
|
"value": "rule APT30_Generic_1 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 08b54f9b2b3fb19e388d390d278f3e44, 11876eaadeac34527c28f4ddfadd1e8d, 28f2396a1e306d05519b97a3a46ee925, 80e39b656f9a77503fa3e6b7dd123ee3, d591dc11ecffdfaf1626c1055417a50d, 8e2eee994cd1922e82dea58705cc9631, e9e514f8b1561011b4f034263c33a890\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"aaa5c64200ff0818c56ebe4c88bcc1143216c536\"\r\n\t\thash1 = \"cb4263cab467845dae9fae427e3bbeb31c6a14c2\"\r\n\t\thash2 = \"b69b95db8a55a050d6d6c0cba13d73975b8219ca\"\r\n\t\thash3 = \"5c29e21bbe8873778f9363258f5e570dddcadeb9\"\r\n\t\thash4 = \"d5cb07d178963f2dea2c754d261185ecc94e09d6\"\r\n\t\thash5 = \"626dcdd7357e1f8329e9137d0f9883f57ec5c163\"\r\n\t\thash6 = \"843997b36ed80d3aeea3c822cb5dc446b6bfa7b9\"\r\n\tstrings:\r\n\t\t$s0 = \"%s\\\\%s.txt\" fullword\r\n\t\t$s1 = \"\\\\ldsysinfo.txt\" fullword\r\n\t\t$s4 = \"(Extended Wansung)\" fullword\r\n\t\t$s6 = \"Computer Name:\" fullword\r\n\t\t$s7 = \"%s %uKB %04u-%02u-%02u %02u:%02u\" fullword\r\n\t\t$s8 = \"ASSAMESE\" fullword\r\n\t\t$s9 = \"BELARUSIAN\" fullword\r\n\t\t$s10 = \"(PR China)\" fullword\r\n\t\t$s14 = \"(French)\" fullword\r\n\t\t$s15 = \"AdvancedServer\" fullword\r\n\t\t$s16 = \"DataCenterServer\" fullword\r\n\t\t$s18 = \"(Finland)\" fullword\r\n\t\t$s19 = \"%s %04u-%02u-%02u %02u:%02u\" fullword\r\n\t\t$s20 = \"(Chile)\" fullword\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061601",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1a1-b348-4e78-89dd-44ce950d210b",
|
|
"value": "rule APT30_Generic_2 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from many files\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"aba8b9fa213e5e2f1f0404d13fecc20ea8651b57\"\r\n\t\thash1 = \"7f11f5c9475240e5dd2eea7726c9229972cffc1f\"\r\n\t\thash2 = \"94d3f91d1e50ecea729617729013c3d143bf2c3e\"\r\n\t\thash3 = \"7e516ec04f28c76d67b8111ddfe58bbd628362cc\"\r\n\t\thash4 = \"6b27bc0b0460b0a25b45d897ed4f399106c284d9\"\r\n\t\thash5 = \"6df5b4b3da0964153bad22fb1f69483ae8316655\"\r\n\t\thash6 = \"b68bce61dfd8763c3003480ba4066b3cb1ef126e\"\r\n\t\thash7 = \"cc124682246d098740cfa7d20aede850d49b6597\"\r\n\t\thash8 = \"1ef415bca310575944934fc97b0aa720943ba512\"\r\n\t\thash9 = \"0559ab9356dcc869da18b2c96f48b76478c472b3\"\r\n\t\thash10 = \"f15272042a4f9324ad5de884bd50f4072f4bdde3\"\r\n\t\thash11 = \"1d93d5f5463cdf85e3c22c56ed1381957f4efaac\"\r\n\t\thash12 = \"b6f1fb0f8a2fb92a3c60e154f24cfbca1984529f\"\r\n\t\thash13 = \"9967a99a1b627ddb6899919e32a0f544ea498b48\"\r\n\t\thash14 = \"95a3c812ca0ad104f045b26c483495129bcf37ca\"\r\n\t\thash15 = \"bde9a72b2113d18b4fa537cc080d8d8ba1a231e8\"\r\n\t\thash16 = \"ce1f53e06feab1e92f07ed544c288bf39c6fce19\"\r\n\t\thash17 = \"72dae031d885dbf492c0232dd1c792ab4785a2dc\"\r\n\t\thash18 = \"a2ccba46e40d0fb0dd3e1dba160ecbb5440862ec\"\r\n\t\thash19 = \"c8007b59b2d495029cdf5b7b8fc8a5a1f7aa7611\"\r\n\t\thash20 = \"9c6f470e2f326a055065b2501077c89f748db763\"\r\n\t\thash21 = \"af3e232559ef69bdf2ee9cd96434dcec58afbe5a\"\r\n\t\thash22 = \"e72e67ba32946c2702b7662c510cc1242cffe802\"\r\n\t\thash23 = \"8fc0b1618b61dce5f18eba01809301cb7f021b35\"\r\n\t\thash24 = \"6a8159da055dac928ba7c98ea1cdbe6dfb4a3c22\"\r\n\t\thash25 = \"47463412daf0b0a410d3ccbb7ea294db5ff42311\"\r\n\t\thash26 = \"e6efa0ccfddda7d7d689efeb28894c04ebc72be2\"\r\n\t\thash27 = \"43a3fc9a4fee43252e9a570492e4efe33043e710\"\r\n\t\thash28 = \"7406ebef11ca9f97c101b37f417901c70ab514b1\"\r\n\t\thash29 = \"53ed9b22084f89b4b595938e320f20efe65e0409\"\r\n\tstrings:\r\n\t\t$s0 = \"%s\\\\%s\\\\KB985109.log\" fullword\r\n\t\t$s1 = \"%s\\\\%s\\\\KB989109.log\" fullword\r\n\t\t$s2 = \"Opera.exe\" fullword wide\r\n\t\t$s3 = \"%s:All online success on %u!\" fullword\r\n\t\t$s4 = \"%s:list online success on %u!\" fullword\r\n\t\t$s5 = \"%s:All online fail!\" fullword\r\n\t\t$s6 = \"Copyright Opera Software 1995-\" fullword wide\r\n\t\t$s7 = \"%s:list online fail!\" fullword\r\n\t\t$s8 = \"OnlineTmp.txt\" fullword\r\n\t\t$s9 = \"Opera Internet Browser\" fullword wide\r\n\t\t$s12 = \"Opera Software\" fullword wide\r\n\t\t$s15 = \"Check lan have done!!!\" fullword\r\n\t\t$s16 = \"List End.\" fullword\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061622",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1b6-5864-4029-9ef4-4e71950d210b",
|
|
"value": "rule APT30_Generic_3 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 6e689351d94389ac6fdc341b859c7f6f, a813eba27b2166620bd75029cc1f04b0, b4ae0004094b37a40978ef06f311a75e\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"b90ac3e58ed472829e2562023e6e892d2d61ac44\"\r\n\t\thash1 = \"342036ace2e9e6d504b0dec6399e4fa92de46c12\"\r\n\t\thash2 = \"5cdf397dfd9eb66ff5ff636777f6982c1254a37a\"\r\n\tstrings:\r\n\t\t$s0 = \"Acrobat.exe\" fullword wide\r\n\t\t$s14 = \"********************************\" fullword\r\n\t\t$s16 = \"FFFF:>>>>>>>>>>>>>>>>>@\" fullword\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061633",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1c1-38ac-4e9c-a08f-4d01950d210b",
|
|
"value": "rule APT30_Generic_4 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 021e134c48cd9ce9eaf6a1c105197e5d, 7c307ca84f922674049c0c43ca09bec1, b8617302180d331e197cc0433fc5023d, e6289e7f9f26be692cbe6f335a706014\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"bb390f99bfde234bbed59f6a0d962ba874b2396c\"\r\n\t\thash1 = \"b47e20ac5889700438dc241f28f4e224070810d2\"\r\n\t\thash2 = \"a9a50673ac000a313f3ddba55d63d9773b9f4143\"\r\n\t\thash3 = \"ac96d7f5957aef09bd983465c497de24c6d17a92\"\r\n\tstrings:\r\n\t\t$s0 = \"del NetEagle_Scout.bat\" fullword\r\n\t\t$s1 = \"NetEagle_Scout.bat\" fullword\r\n\t\t$s2 = \"\\\\visit.exe\" fullword\r\n\t\t$s3 = \"\\\\System.exe\" fullword\r\n\t\t$s4 = \"\\\\System.dat\" fullword\r\n\t\t$s5 = \"\\\\ieupdate.exe\" fullword\r\n\t\t$s6 = \"GOTO ERROR\" fullword\r\n\t\t$s7 = \":ERROR\" fullword\r\n\t\t$s9 = \"IF EXIST \" fullword\r\n\t\t$s10 = \"ioiocn\" fullword\r\n\t\t$s11 = \"SetFileAttribute\" fullword\r\n\t\t$s12 = \"le_0*^il\" fullword\r\n\t\t$s13 = \"le_.*^il\" fullword\r\n\t\t$s14 = \"le_-*^il\" fullword\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061644",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1cc-ca6c-4df4-8f67-4c43950d210b",
|
|
"value": "rule APT30_Generic_5 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 592381dfa14e61bce089cd00c9b118ae, b493ad490b691b8732983dcca8ea8b6f, b83d43e3b2f0b0a0e5cc047ef258c2cb\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"cb4833220c508182c0ccd4e0d5a867d6c4e675f8\"\r\n\t\thash1 = \"dfc9a87df2d585c479ab02602133934b055d156f\"\r\n\t\thash2 = \"bf59d5ff7d38ec5ffb91296e002e8742baf24db5\"\r\n\tstrings:\r\n\t\t$s0 = \"regsvr32 /s \\\"%ProgramFiles%\\\\Norton360\\\\Engine\\\\5.1.0.29\\\\ashelper.dll\\\"\" fullword\r\n\t\t$s1 = \"name=\\\"ftpserver.exe\\\"/>\" fullword\r\n\t\t$s2 = \"LiveUpdate.EXE\" fullword wide\r\n\t\t$s3 = \"<description>FTP Explorer</description>\" fullword\r\n\t\t$s4 = \"\\\\ashelper.dll\" fullword\r\n\t\t$s5 = \"LiveUpdate\" fullword wide\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061654",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1d6-2720-41d3-ae16-4a3b950d210b",
|
|
"value": "rule APT30_Generic_6 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 168d207d0599ed0bb5bcfca3b3e7a9d3, 1e6ee89fddcf23132ee12802337add61, 5dd625af837e164dd2084b1f44a45808\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"b9aafb575d3d1732cb8fdca5ea226cebf86ea3c9\"\r\n\t\thash1 = \"2c5e347083b77c9ead9e75d41e2fabe096460bba\"\r\n\t\thash2 = \"5d39a567b50c74c4a921b5f65713f78023099933\"\r\n\tstrings:\r\n\t\t$s0 = \"GetStar\" fullword\r\n\t\t$s1 = \".rdUaS\" fullword\r\n\t\t$s2 = \"%sOTwp/&A\\\\L\" fullword\r\n\t\t$s3 = \"a Encrt% Flash Disk\" fullword\r\n\t\t$s4 = \"ypeAutoRuChec\" fullword\r\n\t\t$s5 = \"NoDriveT\" fullword\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061674",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1ea-4df4-4a7c-844b-4ed8950d210b",
|
|
"value": "rule APT30_Generic_7 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 853a20f5fc6d16202828df132c41a061, 9c0cad1560cd0ffe2aa570621ef7d0a0, b590c15499448639c2748ff9e0d214b2\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"2415f661046fdbe3eea8cd276b6f13354019b1a6\"\r\n\t\thash1 = \"e814914079af78d9f1b71000fee3c29d31d9b586\"\r\n\t\thash2 = \"0263de239ccef669c47399856d481e3361408e90\"\r\n\tstrings:\r\n\t\t$s1 = \"Xjapor_*ata\" fullword\r\n\t\t$s2 = \"Xjapor_o*ata\" fullword\r\n\t\t$s4 = \"Ouopai\" fullword\r\n\tcondition:\r\n\t\tfilesize < 100KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061684",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a1f4-1d20-406b-bff3-43e5950d210b",
|
|
"value": "rule APT30_Generic_8 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 7c307ca84f922674049c0c43ca09bec1, b8617302180d331e197cc0433fc5023d, e6289e7f9f26be692cbe6f335a706014\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"b47e20ac5889700438dc241f28f4e224070810d2\"\r\n\t\thash1 = \"a9a50673ac000a313f3ddba55d63d9773b9f4143\"\r\n\t\thash2 = \"ac96d7f5957aef09bd983465c497de24c6d17a92\"\r\n\tstrings:\r\n\t\t$s0 = \"Windows NT4.0\" fullword\r\n\t\t$s1 = \"Windows NT3.51\" fullword\r\n\t\t$s2 = \"%d;%d;%d;%ld;%ld;%ld;\" fullword\r\n\t\t$s3 = \"%s %d.%d Build%d %s\" fullword\r\n\t\t$s4 = \"MSAFD Tcpip [TCP/IP]\" fullword\r\n\t\t$s5 = \"SQSRSS\" fullword\r\n\t\t$s8 = \"WM_COMP\" fullword\r\n\t\t$s9 = \"WM_MBU\" fullword\r\n\t\t$s11 = \"WM_GRID\" fullword\r\n\t\t$s12 = \"WM_RBU\" fullword\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1444061696",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5612a200-45d8-4838-92b6-47ef950d210b",
|
|
"value": "rule APT30_Generic_9 {\r\n\tmeta:\r\n\t\tdescription = \"FireEye APT30 Report Sample - from files 0cdc35ffc222a714ee138b57d29c8749, 10aa368899774463a355f1397e6e5151, 3166baffecccd0934bdc657c01491094, d28d67b4397b7ce1508d10bf3054ffe5\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf\"\r\n\t\tdate = \"2015/04/13\"\r\n\t\tsuper_rule = 1\r\n\t\thash0 = \"00d9949832dc3533592c2ce06a403ef19deddce9\"\r\n\t\thash1 = \"27a2b981d4c0bb8c3628bfe990db4619ddfdff74\"\r\n\t\thash2 = \"05f66492c163ec2a24c6a87c7a43028c5f632437\"\r\n\t\thash3 = \"263f094da3f64e72ef8dc3d02be4fb33de1fdb96\"\r\n\tstrings:\r\n\t\t$s0 = \"%s\\\\%s\\\\$NtRecDoc$\" fullword\r\n\t\t$s1 = \"%s(%u)%s\" fullword\r\n\t\t$s2 = \"http://%s%s%s\" fullword\r\n\t\t$s3 = \"1.9.1.17\" fullword wide\r\n\t\t$s4 = \"(C)Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL\" wide\r\n\tcondition:\r\n\t\tfilesize < 250KB and uint16(0) == 0x5A4D and all of them\r\n}"
|
|
}
|
|
]
|
|
}
|
|
} |